New Online Vault and Security

I've been a Roboform (RF) user for what must've been 10 years. Possibly just like a lot of previous users on this forum, I decided to give 1password (OP) a try thanks to (consider him your good friend XD) Paul Moore and his review on RF, in addition to his recommendation for OP. After ignoring his advice for years, my RF subscription is finally coming to an end and I'm ready to switch.

The guy didn't get a crazy amount of attention, but from these three articles, an important take-away for me was RF's implementation of the online vault (RoboForm Everywhere online). After logging into the account and trying to access my passwords there, I would need to enter my master password and the decryption is carried out on the server, meaning that they will have my master password no matter how they handle that information. Paul recommends OP because it did not have an online server, I believe, at the time when he wrote the article.

However, today during my initial contact with OP, it looks like OP has evolved and now hosts its own server in addition to a new subscription structure. So I opened an account for online vault, and surely, I have to enter my MASTER PASSWORD to enter my vault?!

In summary, my concerns are:

1) Why did you choose to make users use master password as the log-in password for online vault? I avoided LastPass for this exact reason. FYI, as insecure as RF's online server is, they at least offered the option to use a different password to log into the online account, and then use master password to decrypt passcards.

2) How is your approach different from RF (and possibly LastPass) in allowing users to access their passwords online? For example, for RF, I log into my online account (again, with a credential independent of my master password, which at least gives me a sense of a higher level of security), then enter my master password when I want to check out each individual passcard (and again, they admitted that they would have to decrypt server-side, which is a loophole in security for the users, to say the least). How is your approach different from the above-mentioned approach? For an almost similar user experience between OP and RF, which is to log into an online vault and look up my passwords, how or why do you not have my master password?

To be fair, I have not imported all my passcards into OP vault so I cannot see the full picture here. Please consider this post both an inquiry and an education request.

Thank you for reading!
Sean

P.S. while I'm posting this, I thought I may as well post a separate question:

3) If I go with version 6 and your subscription service, will I still be able to choose to sync over my own cloud server like Dropbox or Google Drive, or maybe OneDrive (because of censorship I experience when I'm traveling to certain countries)?

Comments

@cs88rf: First of all, welcome! I'm glad to hear you've decided to give 1Password a try after all this time. Certainly making a change like this isn't trivial, so it's interesting to hear a bit of your history.

1) Why did you choose to make users use master password as the log-in password for online vault?

As you can probably imagine, a lot of people forget their Master Passwords; regardless of how many times we say "Don't forget your Master Password", it is unfortunately inevitable. So you might also imagine that having another password to remember is another opportunity to forget something important -- and that's why people are using 1Password in the first place: so they don't have to remember all of these! And having a separate password to protect the "online vault" is kind of meaningless, as this would be one of two things: a hoop to jump through not offering any additional security (if you can get the data another way with just the Master Password, for example), or a second password encrypting the vault encrypted with the first password -- which, at that point, you might as well just use a stronger single Master Password, which would offer the same security benefit but be less complicated to deal with.

Now, I know you're probably going to have some objections there, but if you'll bear with me I'll explain what we are doing. It's actually similar to what you're asking for, with a few key differences that make it easier to deal with:

The Account Key is a second piece that's required for your account.

The Account Key is saved on an authorized browser/device, so that it doesn't need to be entered each time.

The Account Key can be accessed from an authorized device so that you can easily authorize a new one.

The Account Key is used to actually strengthen the encryption of your data.

2) For an almost similar user experience between OP and RF, which is to log into an online vault and look up my passwords, how or why do you not have my master password?

Sort of in the same vein, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password for Families, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Account Key is created locally, your Master Password is only known by you, and neither is ever transmitted, no one — including AgileBits — has the means to decrypt the data. That, to me, makes all the difference. You can read more details on how all of this works in our white paper, and don't hesitate to ask any other questions you may have!

To be fair, I have not imported all my passcards into OP vault so I cannot see the full picture here. Please consider this post both an inquiry and an education request. Thank you for reading!

Totally! Thanks for asking!

P.S. while I'm posting this, I thought I may as well post a separate question:
3) If I go with version 6 and your subscription service, will I still be able to choose to sync over my own cloud server like Dropbox or Google Drive, or maybe OneDrive (because of censorship I experience when I'm traveling to certain countries)?

So far, it seems like people have better luck with 1Password.com than any of those, both with country and company restrictions, but to answer your question, you can still use local vaults alongside 1Password.com vaults if you wish -- with the caveat that the new Windows app currently has only read-only support for them. If you'll give me a better sense of what you're trying to do, I may be able to offer some more concrete suggestions.
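The reply above describes the shape of the scheme: a Master Password that is never transmitted, an Account Key generated locally and kept on authorized devices, and the two combined so that the Account Key strengthens the encryption rather than acting as a second login hoop. The following is an added illustration of that idea, written for this page; it is not AgileBits' code, and the exact construction (PBKDF2 for the password, HKDF-Expand for the Account Key, XOR to combine them, separate HKDF labels for the encryption key and the authentication key) is an assumption for demonstration. The real derivation is specified in the white paper the reply links to.

```python
"""Illustrative two-secret key derivation (assumed construction, not AgileBits' code).

The point it demonstrates: the key that encrypts the vault depends on BOTH the
Master Password and a locally generated 128-bit Account Key, and the value a
client would use to prove itself to the server is derived under a different
label, so it cannot be turned back into the encryption key.
"""
import hashlib
import hmac
import secrets


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Expand using HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_account_key() -> bytes:
    """128 random bits created on the device; in this model it is stored on
    authorized devices and never sent to the server (assumption)."""
    return secrets.token_bytes(16)


def derive_keys(master_password: str, account_key: bytes, salt: bytes,
                iterations: int = 100_000) -> tuple[bytes, bytes]:
    """Return (encryption_key, authentication_key).

    - pw_key: slow PBKDF2 over the Master Password (the part an attacker can guess).
    - ak_key: the Account Key expanded to the same width (the part they cannot guess).
    - combined: XOR of the two, so a guess at the password alone yields nothing usable.
    - enc_key / auth_key: domain-separated outputs; only auth_key would ever leave
      the device, and knowing it does not reveal enc_key.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, iterations, 32)
    ak_key = hkdf_expand(account_key, b"account-key-stretch", 32)
    combined = bytes(p ^ a for p, a in zip(pw_key, ak_key))
    enc_key = hkdf_expand(combined, b"vault-encryption-key", 32)
    auth_key = hkdf_expand(combined, b"server-authentication", 32)
    return enc_key, auth_key


def password_alone_is_insufficient(master_password: str, salt: bytes,
                                   account_key: bytes, iterations: int = 100_000) -> bool:
    """Model of a server-side attacker who has the salt and the correct password
    but not the Account Key: they cannot reproduce the encryption key."""
    real_enc, _ = derive_keys(master_password, account_key, salt, iterations)
    guess_enc, _ = derive_keys(master_password, bytes(16), salt, iterations)
    return real_enc != guess_enc


if __name__ == "__main__":
    # Constructed sample values; the salt would normally be random per account.
    salt = b"constructed-per-account-salt"
    ak = generate_account_key()
    enc, auth = derive_keys("correct horse battery staple", ak, salt)
    print("encryption key :", enc.hex())
    print("auth key       :", auth.hex())
    print("password alone enough?", not password_alone_is_insufficient(
        "correct horse battery staple", salt, ak))
```

Because the Account Key contributes 128 random bits that never reach the server, an attacker who obtains the server's copy of the data (and even the salt and the authentication material) still has to brute-force something far larger than a human-chosen password; that is the sense in which the reply says the Account Key "strengthens the encryption" rather than merely adding a second login step.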

Regarding question 3, I meant to use my own cloud service to sync the passcards, e.g. DropBox, Google Drive, or OneDrive. I got to know 1password with the perception that that can be done originally, but it looks like things changed with the new subscription model and version 6?

I got to know 1password with the perception that that can be done originally, but it looks like things changed with the new subscription model and version 6?

Correct, to help simplify the 1Password experience, we've decided to do our own service, so that you don't have to worry about syncing, backups, and knowing various vault passwords to share with family members, guests, co-workers and more. You can find out more on why here: https://support.1password.com/why-account/

You can still choose to use local standalone vaults for now, but 1Password 6 for Windows is a brand new program that doesn't have full local vault support yet; you'll have to use 1Password 4 instead or wait until 1Password 6 gains support. We don't have a timeframe on when this would be done.

No worries. Using beta (or in this case, a fresh-start version that is rapidly developing) is within my comfort zone. Will stay with the newest version anyway =D

By the way, choosing OP over dashlane (I was desperately deciding between these two) has very much to do with this awesome support forum. Keep it up! I hope to fully subscribe to OP before my trial ends. I'm currently digging deeper into the file conversion tasks and about to temporarily install RF 6.9 to export full URL.

It was a relatively popular site and I saw suggestions for it elsewhere. But to be safe, I spent more time setting up a virtual environment to install and export all the passcards.

I think RF changed their file format some time in 2010 (approximately when I upgraded to version 7), because on my computer there is a folder called "old format" under My Roboform Data directory. I disregarded this fact and it seems RF6 read most of the files created in RF7 after 2010.

1600 logins are even crazier! I have 750 and am currently having problems with the conversion process. I used the great converter made by the great MrC, but after importing the files, a lot of usernames and passwords lost their attributes and are now placed under the notes section in OP. My last resort, if this can't be solved, would be to just leave them as-is and update each login the next time I visit a website. Please let me know your success rate among 1600 cards and I'll know if I'm doing something wrong.

p.s. I started using RF about 10 years ago and, no disrespect to OP, RF does have many neat features and is a more polished product imo. However, with security being the top priority these days, I am just too afraid to continue my path with that green robot =(

@Daviduk How has the conversion gone? Today is a good day. After more than a week of tuning (from MrC) and giving feedback (from me XD), the latest 1.10 in the testing bits folder works wonders for us RF users. Among my 750ish passcards, I only have a few left that I have to manually correct, because of the crazy field titles used by RF. If you haven't already, or if you are not satisfied with the successful conversion rate of RF passcards, give the latest 1.10 a try! I'm a happy camper now waiting for more features to come to 1P

BTW, I believe the more RF users test the converter, the more this converter will improve. As you mentioned you have twice as many passcards as I do, your input in giving feedback to MrC would be very helpful!